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Applicants hereby submit the following Arguments, in five (5) or less total pages, 
as attachment to the Pre- Appeal Brief Request for Review Form (PTO/SB/33). A Notice 
of Appeal is concurrently filed. 

Applicants' arguments in the Amendment and Reply under 37 C.F.R. § 1.111 filed 
on November 23, 2009 (hereinafter "Reply"), were not properly considered or responded 
to by the Examiner in the final Office Action mailed February 24, 2010 (hereinafter the 
"Final OA"). The Examiner's response was legally and factually deficient because the 
Examiner failed to provide sufficient evidence that claims 46-70 failed to comply with the 
written description requirement of 35 U.S.C. § 112, first paragraph, and because the 
Examiner failed to show that the combination of U.S. Patent No. 5,870,479 to Feiken, et al 
("Feiken") and U.S. Patent No. 6,791,947 to Oskouy, et al ("Oskouy") taught each and 
every feature of independent claims 46 and 64. 

1. Applicants' Specification Conveys with Reasonable Clarity to Persons Skilled in the 
Art that Applicants Were in Possession of the Features of Claims 46-70 

In the Final Office Action, the Examiner rejected claims 46-70 under 35 U.S.C. § 
112, first paragraph, for allegedly failing to comply with the written description 
requirement. Specifically, the Examiner states 



In the original specification, Examiner was not able to find a 
classification module determining security association information 
with each data packet in a plurality of data packets associated with a 
data flow between a source and destination simultaneously. 
Examiner is not convinced that 'four datagrams can be processed 
simultaneously and out of order to keep throughput at full rated 
wirespeed" as cited by Applicant fully supports the claim limitation as 
claimed above . . . 



Sir: 



(Final Office Action, p. 5.) Applicants respectfully disagree. 
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The specification discloses, for example, an Advanced Classification Engine 
(ACE) that "functions as a complete hardware IPSec Security Association Database 
lookup engine." (Specification, 21:3-4.) Thus, contrary to the Examiner's position, the 
processing of the ACE defined in the specification includes determining security 
association information for a data packet. 

The specification further states that the ACE has "fully pipelined non-blocking out- 
of order design. Four datagrams can be processed simultaneously and out of order to 
keep throughput at fully rated wirespeed." (Specification, p. 21, 11. 1 8-20.)(emphasis 
added.) In addition, ACE implements non-blocking out-of-order processing of up to four 
packets." (Specification, 25:3-6.) Because the ACE processing includes security 
association determination, this passage discloses performing this security association 
determination processing on multiple datagrams simultaneously. 

Accordingly, Applicants' specification sufficiently describes "wherein the 
classification module is configured to determine the security association information for 
the plurality of data packets simultaneously" as recited in independent claim 46 and 
"simultaneously determining security association information associated with each data 
packet in the plurality of data packets in the data flow," as recited in independent claim 64. 

Reconsideration and withdrawal of this rejection as to independent claims 46 and 
64 and their respective dependent claims 47-63 and 65-70 are respectfully requested. 

2. The Combination of Feiken and Oskouy Fails to Teach Each and Every Feature of 
Independent Claims 46 and 64 

In the Final Office Action, the Examiner maintained the rejection of claims 46-49, 
55-57, 60, and 64-66 under 35 U.S.C. § 103(a) as allegedly being unpatentable over 
Feiken in view of Oskouy. Because the combination of Feiken and Oskouy fails to 
disclose each and every feature of independent claims 46 and 64, Applicants traverse and 
request that the rejection be withdrawn. 

In Feiken, a "data packet which enters the device 1 is first temporarily stored in the 
buffer 10. During this time, the header of the packet is copied to the identification unit 14, 
where the channel (in the case of ATM, the virtual channel or the virtual path) of the data 
packet is determined." (Feiken, 3:66 - 4:3.) Using this identification, the control unit 
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"activates the other sections of the device." (Feiken, 4:3-7.) In Feiken, "the buffer 10 is 
instructed to release the data packet concerned, while the memory 13 is instructed to place 
the information belonging to said channel (for example, the key and the status of the 
encrypting/decrypting procedure, and optionally the software of a processing) on the bus 
15." (Feiken, 4:8-14.) 

Thus, Feiken fails to disclose at least the feature of "a classification module in the 
device that determines security association information associated with each data packet in 
a plurality of data packets associated with a data flow between a source and destination, 
wherein the classification module is configured to determine the security association 
information for the plurality of data packets simultaneously," as recited in independent 
claim 46 and "receiving, in the device, at least a portion of a header for each data packet in 
a plurality of data packets associated with a data flow between a source and destination; 
simultaneously determining security association information associated with each data 
packet in the plurality of data packets in the data flow," as recited in independent claim 64. 

Furthermore, the Examiner acknowledges that Feiken "does not explicitly state that 

the classification module is configured to determine the security association information 

associated for the plurality of data packets simultaneously." (Final OA, pp. 6-7.) However, 

the Examiner alleges that Oskouy provides this missing teaching. Applicants disagree. 

a. Oskouy fails to disclose determination of security association information for a 
data packet 

Oskouy generally describes a "method and apparatus for in-line processing a data 
packet while routing the packet through a router in a system transmitting data packets 
between a source and a destination over a network including the router." (Oskouy, 
Abstract.) Nowhere does Oskouy disclose or even mention providing security processing. 

Applicants further disagree with the Examiner's understanding of the term 
"security association." As discussed in Applicant's November 2009 Reply, the term 
security association has a well-known meaning to persons of skill in the art. A security 
association provides a mechanism to associate security services and key(s) with traffic to 
be protected and the parties with whom traffic is being exchanged. The specification 
repeatedly explains that security association information includes at a minimum 
cryptographic keys. (Specification, 8:9-10; 11:1-2; 12:3-5; 23: 6-10.) This is supported by 
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the Internet Engineering Task Force (IETF) that defines a security association and outlines 
required security association information to be stored in a security association database for 
retrieval See e.g., IETF RFC 2401. A copy of IETF RFC 2401 is attached as Exhibit A. 
In RFC 2401, the IETF required security association information includes sequence 
number, anti-reply data, authentication algorithm and keys for IPSec authentication header 
(AH) implementations and IPSec encapsulating security payload (ESP) implementations, 
and encryption algorithm and keys for IPSec ESP implementation, and lifetime of the 
security association. See IETF RFC 2401 , p. 21 . 

The Examiner points to the Security Association Table in Applicant's Specification 
and appears to conclude that "IP address, port and protocol" are security association 
information. This is not accurate. The IP address, port and protocol are "selectors" used 
to identify a security association. See IETF RFC 2401, § 4.4.2. The specification further 
explains that "classification occurs based on a flexible set of selectors as follows: 
Quintuple of <src IP addr, dst IP addr, src port, dst port, protocol> ..." (Specification, 
13:11-16.) Thus, these fields are present in the Security Association Table because they 
are the selectors used to identify the selected security association record. These fields are 
not security association information as would be understood by a person of skill in the art. 

The Examiner further points to col. 5, lines 34-41 of Oskouy which mentions 
reading a key from the packet. Applicants note that the key referred to in Oskouy is not an 
encryption key and is not used for any security processing. Accordingly, the key in 
Oskouy is not "security association" information. Accordingly, Oskouy does not disclose 
"determining] security association information" associated with a data packet as recited in 
independent claims 46 and 64. 

b. Oskouy fails to disclose simultaneously determining security association 
information associated with each data packet 

In the Final Office Action, the Examiner points to the following disclosure of 
Oskouy as teaching simultaneously determining security association information: 

Packet pre-processing is accelerated by using multiple embedded micro- 
code engines to perform L2 header processing for received packets. Pre- 
processing includes segmentation of the packets into cells and 
distribution of the cells across memory within the router while 
processing L3 header data in parallel. 
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(Oskouy, 4:24-29.) Applicants disagree with the Examiner's understanding of Oskouy. 
Oskouy does not disclose that multiple packets are processed in parallel. Oskouy explains 
that L3 header processing (of a single packet) is "performed in parallel to the packing of 
data by cell packeterizer 391." (Oskouy, 10:43-45.) Nowhere does Oskouy disclose 
performing L3 header processing on multiple packets in parallel. Additionally, the 
multiple micro-code engines are used in the processing of a single header (not multiple 
headers in parallel). {See Oskouy, 8:36-51.) Accordingly, Feiken also fails to disclose at 
least the feature of "a classification module in the device that determines security 
association information associated with each data packet in a plurality of data packets 
associated with a data flow between a source and destination, wherein the classification 
module is configured to determine the security association information for the plurality of 
data packets simultaneously," as recited in independent claim 46 and "receiving, in the 
device, at least a portion of a header for each data packet in a plurality of data packets 
associated with a data flow between a source and destination; simultaneously determining 
security association information associated with each data packet in the plurality of data 
packets in the data flow," as recited in independent claim 64. 

Based on the above, Applicants respectfully request that the rejection of 
independent claim 46 and its dependent claims as allegedly being obvious over the 
combination Feiken and Oskouy and/or Ellis and Ober and independent claim 64 and its 
dependent claims as allegedly being obvious over the combination Feiken and Oskouy 
and/or Leung be withdrawn. 

Respectfully submitted, 

Sterne, Kessler, Goldstein & Fox p.l.l.c. 
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Attorney for Applicants 
Registration No. 50,633 

Date: _^:^2il,I^ll2£.lf!.™ 

1 100 New York Avenue, N.W. 
Washington, D.C. 20005-3934 
(202)371-2600 



